The ‘Internet of Things’ (or IoT, which we have
written about before) is generating fresh interest
among legislators and regulatory authorities on both sides of the border.
Recent initiatives in both the United States and Canada are likely to bring
renewed political attention to the transformative potential of this technology
space, particularly for its use in private enterprise and the delivery of
public services.
At the same time, these developments also raise significant
questions about the inherent privacy, security, and consumer protection issues
underlying the IoT’s rapidly growing network of interconnected objects and data
sources.
U.S. Developments on the Internet of Things
Last week, the U.S. Senate’s
Commerce, Science, and Transportation Committee considered the bipartisan bill S. 2607, the Developing Innovation and Growing the Internet of Things Act (or DIGIT). The bill is scant on specifics with respect to
the regulation of the IoT, and instead puts in place a process to consult with
industry, technology, consumer, and business stakeholders to develop frameworks
for the emerging space. The bill effectively uses a commission-style approach
to inform Congress of the best way lawmakers can help stimulate the IoT.
Under
the bill, a working group will be convened that will ultimately submit a report
that includes an analysis of the IoT spectrum’s needs, budgetary challenges,
consumer protections, privacy and security matters, and the current use of the
technology by government agencies.
Proponents of DIGIT point to the need to
develop proactive policies to support the growth of these technologies – such
as those policies that facilitated the rapid expansion and adoption of the Internet
by citizens and the public and private sectors. The bill is expected to pass out of the Committee
with bipartisan support.
DIGIT resembles a recent call for
public input from the U.S. Department of Commerce’s National
Telecommunications & Information Administration (NTIA) – a process which
may play out concurrently if the bill passes. On April 5, the NTIA posted a Request for Comment on potential policy
issues with the IoT, and specifically, on what role the government ought to
play in this area.
After analyzing the comments
it receives, the NTIA intends to issue a ‘green paper’ that “identifies key
issues impacting the deployment of these technologies, highlights potential
benefits and challenges, and identifies possible roles for the federal
government in fostering the advancement of IoT technologies in partnership with
the private sector.”
Similar to DIGIT, the NTIA consultation appears to be aimed
primarily at putting in place conditions that will help foster the growth of the IoT
and its public and commercial benefit. That said, the detailed Request for
Comment paper identifies that the IoT raises issues with respect to privacy, and
points to recent examples involving the connection of cars and medical devices to the Internet. On this
point, the NTIA references the Federal Trade
Commission’s proposals on privacy and cybersecurity with respect to the
IoT.
Canada’s Privacy Commissioner Discusses IoT Privacy Issues
In contrast to these U.S.
policymakers’ focus on developing an ecosystem for the commercialization, use,
and expansion of the IoT, Canadian discussion of the IoT remains largely
confined to the realm of the nation’s privacy regulators. The most recent
report of observations and concerns related to the IoT was published by Canada’s Privacy
Commissioner in February 2016.
The research paper, billed as An introduction to
privacy issues with a focus on the retail and home environments, is intended to help
Canadians understand “how their privacy will be affected by the online
networking of uniquely identified, everyday objects”. The paper aptly focuses
on the impact the IoT will have on individual consumers,
canvassing privacy-related issues such as customer profiling; accountability
and transparency; the ethics of data collection, access and correction rights;
and the challenges of device and information security.
The Privacy Commissioner
concludes that technological developments with respect to the IoT have not been
matched by an equivalent improvement in the existing privacy governance models.
The Commissioner’s report is not a call for public input, but similar to the
American initiatives, it raises more questions about the future of IoT
regulation than it answers. The report concludes that limited information or
considerations have taken shape concerning the privacy implications of having a
large amount of data points collected, aggregated across devices, and analyzed
by device owners and third parties unknown to the individual user.
Underscoring its engagement
with IoT issues, the Privacy Commissioner announced that it will participate
in a coordinated online audit to analyze the impact of everyday connected
devices on privacy. The audit will be coordinated by the Global Privacy
Enforcement Network (“GPEN”), a global network of approximately 50 data
protection authorities (“DPAs”) from around the world, and will target three
categories of connected devices:
· home IoT devices (e.g. connected camera systems);
· health connected devices (e.g. connected scales, glucometers, etc. intended to collect health-related data); and
· connected devices for well-being (e.g. connected watches and bracelets that can collect geolocation data, count footsteps, or analyze sleep quality).
The aim will be to verify
the quality of the information provided to users, the level of
security of the data flows, and the degree of user empowerment (e.g.,
user’s consent, etc.).
Takeaways for Canadian Organizations
The extent of any new
regulations and policies designed for the specific issues raised by the IoT
remains to be seen. Consultation and study exercises on both sides of the
border are seeking to reconcile the need to support the IoT’s development (and
the benefits to consumers and service users) with reasonably managing the
risk of its intrusions. The level of interconnectivity facilitated by the IoT
is not only a disruptive force for business, public, and convenience services,
but also entails the risk of single-point vulnerability for users and systems.
As these initiatives evolve
into new policies and regulations, organizations will need to adapt their
existing privacy standards and protocols to align with IoT rules and
requirements. Moreover, present industry-established frameworks may not align
with either the existing general standards or new IoT requirements.
Organizations should be mindful of lawmakers’ concerns to ensure that their use
of data captured through the IoT technologies remains consistent with legal
standards in the jurisdictions in which they operate.
As organizations enter the IoT
space with their products and services, establishing a
privacy management program to stay up to speed on legal developments can help
to ensure that IoT participants integrate compliance requirements in a
meaningful and systematic way.